From f9cd60853fcbb189270f4332ab8e2cf3bcb99c95 Mon Sep 17 00:00:00 2001
From: Przemyslaw Stekiel
Date: Tue, 1 Feb 2022 11:25:55 +0100
Subject: [PATCH] ssl_tls1X_populate_transform(): import psa keys only if alg is not MBEDTLS_SSL_NULL_CIPHER

Signed-off-by: Przemyslaw Stekiel
---
 library/ssl_tls.c | 46 ++++++++++++++++++++++------------------
 library/ssl_tls13_keys.c | 41 ++++++++++++++++++-----------------
 2 files changed, 47 insertions(+), 40 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 921d82fe5..0c92a059e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1020,32 +1020,36 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
 goto end;
 }
 
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
- psa_set_key_algorithm( &attributes, alg );
- psa_set_key_type( &attributes, key_type );
-
 transform->psa_alg = alg;
 
- if( ( status = psa_import_key( &attributes,
- key1,
- PSA_BITS_TO_BYTES( key_bits ),
- &transform->psa_key_enc ) ) != PSA_SUCCESS )
+ if ( alg != MBEDTLS_SSL_NULL_CIPHER )
 {
- ret = psa_ssl_status_to_mbedtls( status );
- MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", ret );
- goto end;
- }
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, key_type );
 
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+ if( ( status = psa_import_key( &attributes,
+ key1,
+ PSA_BITS_TO_BYTES( key_bits ),
+ &transform->psa_key_enc ) ) != PSA_SUCCESS )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 3, "psa_import_key", (int)status );
+ ret = psa_ssl_status_to_mbedtls( status );
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", ret );
+ goto end;
+ }
 
- if( ( status = psa_import_key( &attributes,
- key2,
- PSA_BITS_TO_BYTES( key_bits ),
- &transform->psa_key_dec ) ) != PSA_SUCCESS )
- {
- ret = psa_ssl_status_to_mbedtls( status );
- MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", ret );
- goto end;
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+
+ if( ( status = psa_import_key( &attributes,
+ key2,
+ PSA_BITS_TO_BYTES( key_bits ),
+ &transform->psa_key_dec ) ) != PSA_SUCCESS )
+ {
+ ret = psa_ssl_status_to_mbedtls( status );
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", ret );
+ goto end;
+ }
 }
 #else
 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 88ff21701..561538678 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
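Review bot: With `alg == MBEDTLS_SSL_NULL_CIPHER` the new guard skips both `psa_import_key` calls, so `transform->psa_key_enc` and `transform->psa_key_dec` keep whatever value they had on entry; nothing in the hunk sets them. If the transform is not zero-initialised before this call (not visible here), the later destroy or record-protection path would act on a stale key identifier, so I would either document the invariant above the guard, e.g. `/* NULL cipher: no key is imported; psa_key_enc/psa_key_dec stay at MBEDTLS_SVC_KEY_ID_INIT */`, or assign that value explicitly in an `else` branch. The same applies to the matching guard in `mbedtls_ssl_tls13_populate_transform()` in library/ssl_tls13_keys.c. Separately, the extra `MBEDTLS_SSL_DEBUG_RET( 3, "psa_import_key", (int)status )` is added only to the `key1` import; the `key2` failure path should log the raw status as well, or neither should. The function body starts and ends outside the hunk.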
@@ -940,30 +940,33 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
 return( psa_ssl_status_to_mbedtls( status ) );
 }
 
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
- psa_set_key_algorithm( &attributes, alg );
- psa_set_key_type( &attributes, key_type );
-
 transform->psa_alg = alg;
 
- if( ( status = psa_import_key( &attributes,
- key_enc,
- PSA_BITS_TO_BYTES( key_bits ),
- &transform->psa_key_enc ) ) != PSA_SUCCESS )
+ if ( alg != MBEDTLS_SSL_NULL_CIPHER )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
- return( psa_ssl_status_to_mbedtls( status ) );
- }
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, key_type );
 
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+ if( ( status = psa_import_key( &attributes,
+ key_enc,
+ PSA_BITS_TO_BYTES( key_bits ),
+ &transform->psa_key_enc ) ) != PSA_SUCCESS )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
+ return( psa_ssl_status_to_mbedtls( status ) );
+ }
 
- if( ( status = psa_import_key( &attributes,
- key_dec,
- PSA_BITS_TO_BYTES( key_bits ),
- &transform->psa_key_dec ) ) != PSA_SUCCESS )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
- return( psa_ssl_status_to_mbedtls( status ) );
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
+
+ if( ( status = psa_import_key( &attributes,
+ key_dec,
+ PSA_BITS_TO_BYTES( key_bits ),
+ &transform->psa_key_dec ) ) != PSA_SUCCESS )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
+ return( psa_ssl_status_to_mbedtls( status ) );
+ }
 }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
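Review bot: A failed import of `key_dec` returns straight away while `transform->psa_key_enc` already holds the key imported a few lines earlier, and nothing in the hunk releases it. Unless every caller frees the transform on error (not visible here), that leaves key material resident in a PSA key slot; calling `psa_destroy_key( transform->psa_key_enc );` before the second `return`, or a comment stating that the caller owns cleanup, would make this explicit. Both failure branches also call `psa_ssl_status_to_mbedtls( status )` twice, so converting once into a local and reusing it would match the ssl_tls.c version. The function body starts and ends outside the hunk.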